
OilRig Sends an OopsIE to Mideast Government Targets

The Iran-linked group is using a variant of the data-exfiltration OopsIE trojan to attack a Mideast government entity.

The OilRig group is back, using a reboot of the OopsIE trojan to pump information from its favorite resource: entities in the Middle East region.

OilRig, which is also tracked as Cobalt Gypsy, Crambus, Helix Kitten or APT34, is suspected of having ties to Iran. The group was identified in 2015 and is believed to be linked to Iranian intelligence and the Islamic Revolutionary Guard Corps (IRGC). It is known for attacking energy, financial, aviation, infrastructure, government and university organizations, primarily in the Middle East.

The group has a history of not reinventing the wheel: it tends to reuse new iterations of previously identified tools and tactics rather than build fresh ones, according to Palo Alto Networks' Unit 42. That is the case in the latest effort, which Unit 42 uncovered while investigating a separate spear-phishing campaign.

While looking at the first effort, the firm discovered a second campaign going after a different governmental entity in the same country, mounted from the same infrastructure. The email in this second campaign, written in Arabic, used a "business continuity management training" lure in the subject line, which appears to be the result of reconnaissance: the targeted organization had publicly published several documents on that exact subject on the web.

The email contained a malicious attachment that Palo Alto identified as a variant of the data-exfiltration OopsIE trojan, first identified in February 2018. However, the new version has been significantly enhanced with better stealth measures.

“In this iteration of OopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems,” the researchers explained in an analysis posted Tuesday. They added that after going through a series of anti-VM and sandbox checks, if any are successful, the trojan will exit without running any of its functional code.

Further interesting enhancements include a CPU temperature check of the kind used by GravityRAT (a check that works as a VM detector because many hypervisors expose no thermal sensor data to the guest), and a time-zone check: the trojan exits unless the system time zone matches one of a short list corresponding to Iran, Israel, Saudi Arabia or a handful of other locations in the Middle East, indicating a high degree of targeting. The practical consequence for defenders is that a detonation sandbox with a default time zone and no emulated thermal sensors will never see the functional code run; the sample has to be detonated on a host configured to pass these checks, or the checks have to be patched out.
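The following PowerShell script is an added example for analysts preparing a Windows sandbox to detonate a sample gated this way; it is not OilRig, OopsIE or Unit 42 code. It reports which of the three kinds of check described above (time zone, thermal sensor, obvious VM vendor strings) would trip on the current host, and fixes the cheapest one. Two assumptions are labelled in the code: the time-zone list is a partial reconstruction from the zones the article names (the sample's full list is not given on the page), and the thermal check is modelled on the WMI class GravityRAT queried, `MSAcpi_ThermalZoneTemperature`, because the page only says OopsIE borrowed GravityRAT's technique without naming the API.

```powershell
# Added example: sandbox-readiness check for time-zone- and thermal-sensor-gated samples.
# Not malware code and not Unit 42's analysis tooling. Labelled assumptions:
#  - $TargetZones is a partial list reconstructed from the article (Iran, Israel, Saudi Arabia);
#    the sample's complete list is not given on the page.
#  - The thermal check queries MSAcpi_ThermalZoneTemperature, the WMI class GravityRAT used;
#    the article does not state which API OopsIE uses for its CPU temperature check.

$TargetZones = @('Iran Standard Time', 'Israel Standard Time', 'Arab Standard Time')

function Test-SandboxReadiness {
    param([string[]]$AllowedZones = $TargetZones)

    $tripped = @()

    # Check 1: time zone. The sample exits unless the zone is on its list.
    $tz = (Get-TimeZone).Id
    if ($AllowedZones -notcontains $tz) {
        $tripped += "Time zone '$tz' is not one of: $($AllowedZones -join ', ')"
    }

    # Check 2: thermal sensor. Many hypervisors expose no ACPI thermal zone to the guest,
    # so the query throws or returns nothing; a sample treating that as 'VM' exits.
    try {
        $thermal = Get-CimInstance -Namespace 'root/wmi' -ClassName 'MSAcpi_ThermalZoneTemperature' -ErrorAction Stop
        if (-not $thermal) {
            $tripped += 'No MSAcpi_ThermalZoneTemperature instances (typical of a VM)'
        }
    } catch {
        $tripped += "MSAcpi_ThermalZoneTemperature query failed: $($_.Exception.Message)"
    }

    # Check 3: vendor strings, the generic anti-VM checks the article mentions.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ("$($cs.Manufacturer) $($cs.Model)" -match 'VMware|VirtualBox|QEMU|Xen|Virtual Machine|innotek') {
        $tripped += "Win32_ComputerSystem reports '$($cs.Manufacturer) $($cs.Model)'"
    }

    # The sample exits on the first check that succeeds, so any tripped check means no detonation.
    [pscustomobject]@{
        WouldAbort = ($tripped.Count -gt 0)
        Tripped    = $tripped
    }
}

$result = Test-SandboxReadiness
$result | Format-List

# Remediation for the cheapest check: give the analysis VM a time zone from the target list.
# Set-TimeZone requires an elevated prompt.
if ($result.Tripped -match 'Time zone') {
    Set-TimeZone -Id 'Arab Standard Time'
    "Time zone now: $((Get-TimeZone).Id)"
}
```

The thermal and vendor-string checks are not fixed by the script, because they need hypervisor-side changes (exposing a thermal zone, overriding SMBIOS strings) or patching the sample; the script's job is to tell you before detonation which of those you still have to do.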

The move marks an advancement in sophistication for OilRig, which started off as a fairly unsophisticated player before going on to become a top APT active in the Mideast, according to researchers. It’s carried out some very interesting attacks, such as the one using a persona named Mia Ash, who was used to catfish men working in desirable positions at energy-sector firms with the goal of dropping the PupyRAT remote access tool onto their unsuspecting desktops.

“The OilRig group remains a persistent adversary in the Middle East region,” Unit 42 researchers said. “They continue to iterate and add capabilities to their tools while still functionally using the same tactics over and over again. Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time.”

Authors

Threatpost
